Embedded malware: the next frontier of bad

If you are looking for reasons to be optimistic and happy with the state of computer security, don’t read this article. Several governments have banned Lenovo computers from their intelligence operations, citing concerns over possible security “back doors” designed into the integrated circuits that make these computers operate. Using one of these back doors, an unwanted guest could gain access to your computer and snoop on what you’re doing, gathering all sorts of data you might not want them to have. This would occur completely without your knowing anything nefarious was going on.

Usually, when we think of security attacks, we tend to focus only on the software variety: malicious packages of bytes written in computer code and neatly wrapped up as an application that runs on your machine. A huge and successful industry has sprouted up to fight such malware. For example, I use Avast to monitor my computer constantly, scanning each file I download and each application I run to make sure it is safe. Lots of anti-malware solutions exist and do a good job protecting us from bad software.

Now, thanks to “malicious circuits”, the fight has spread to the hardware that makes up your machine. These attacks, or at least the fear of such attacks, are not new, as there have been suspicions that certain brands of network routers and switches contain “faulty” chips that have back doors secretly built into their design. There have also been concerns that the firmware – the low-level software embedded into these devices that helps control what they do – can be exploited to provide such unwanted access. This Lenovo disclosure, however, is the first instance I’ve seen of a computer manufacturer coming under fire for possible compromises of its hardware design.

It doesn’t help that Lenovo is the world’s number one PC manufacturer. Or that it is partially owned by the Chinese government.

Sometimes heading out to that cabin in the woods with a 24-pack of Leinenkugel’s far away from 4G and Wi-Fi sounds like heaven. (Wait. Sometimes?) But that’s not an option for most of us. Short of that, I hope the computer industry will start to employ a system like the one car makers use to describe where the parts in their automobiles were made. Box labels that stated something like “This computer was made with 97% US-sourced components” might provide some reassurance to customers. Even better would be a system like what food manufacturers provide to certify that something is peanut-free. If computer manufacturers could establish a certification process that identified manufacturing facilities as being “certified mal-circuit free”, that would be extremely helpful and a possible selling point.

In the meantime, I’ll keep daydreaming about living computer-free in the Northwoods.